Lesson 5: Enterprise Network Architecture

OSI Model Layers

  • Layer 1 (Physical): Cabling, connectors, electrical/optical/radio signaling
  • Layer 2 (Data Link): MAC addresses, switches, VLANs, MAC filtering, 802.1X
  • Layer 3 (Network): IP addressing and routing, subnets, packet-filtering firewalls
  • Layer 4 (Transport): TCP/UDP ports, stateful inspection
  • Layer 7 (Application): HTTP, DNS and other application protocols (NGFW/WAF inspection)

Security Context by Layer:

  • Layer 1: Unauthorized physical port/wireless access
  • Layer 2: MAC spoofing, VLAN hopping, MITM in local segment
  • Layer 3: IP spoofing, communication across network zones
  • Layer 4: Unauthorized TCP/UDP port connections
  • Layer 5: Session hijacking
  • Layer 6: Encryption/encoding bypass
  • Layer 7: Direct application service exploitation

Security Zones

  • Public/Private Zones: Segment traffic (guest vs internal networks)
  • VLANs: Logical isolation (VLAN 10 for HR, VLAN 20 for Finance)
  • A VLAN alone only separates broadcast domains; VLANs with ACLs (or a firewall between VLANs) enforce which traffic may cross segments and give effective internal traffic control

Security Controls:

  • Port Security: Disable unused ports, MAC filtering, 802.1X (EAP/RADIUS)
  • Physical Isolation: Air-gapped networks (no external connectivity)
    • Risks: Infected USB drives (Stuxnet), insider threats
    • Mitigations: Disable unused ports, encryption for removable media, Faraday cages

Network Security Appliances

Firewalls:

  • Packet Filtering (Layer 3/4): Allows or blocks each packet on its own by source/destination IP, protocol and port; no memory of earlier packets
  • Stateful Inspection (Layer 4): Tracks connection state (TCP handshake, UDP pseudo-sessions) in a state table, so replies to allowed sessions are admitted and unsolicited inbound packets are dropped
  • NGFW (Layer 7): Deep packet inspection, application identification, integrated IPS; blocks malware/exploits inside HTTP and other application traffic
  • UTM (Unified Threat Management): Single appliance combining firewall, IPS, anti-malware, web/email filtering and often VPN

Balance: More inspection vs manageable complexity and throughput; a common split is UTM for branch/internal segments and NGFW at the Internet boundary
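The two firewall types above, and the VLAN-plus-ACL segmentation from the Security Zones section, are easier to see side by side in code. The following is an added example, not material from the lesson: a toy zone-based firewall in which the zone names, VLAN subnets, rule set and sample packets are all constructed. It contrasts a stateless packet filter (which can only recognise replies by the ACK bit, the classic "established" ACL trick) with stateful inspection (which admits replies only for flows it saw opened).

```python
"""Added example (not from the lesson): a toy zone-based firewall that
contrasts a stateless packet filter with stateful inspection. Zones, VLAN
subnets, rules and packets are all constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Constructed zone map: VLAN 10 = HR, VLAN 20 = Finance, a guest network;
# any other address is treated as the Internet.
ZONES = {
    "hr": ipaddress.ip_network("10.0.10.0/24"),
    "finance": ipaddress.ip_network("10.0.20.0/24"),
    "guest": ipaddress.ip_network("192.168.50.0/24"),
}

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "internet")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False

# Inter-zone policy for NEW connections: (src_zone, dst_zone, proto, dport).
# Everything not listed is denied (default deny / fail-closed).
RULES = {
    ("hr", "finance", "tcp", 443),      # HR users may reach the Finance web app
    ("hr", "internet", "tcp", 443),
    ("finance", "internet", "tcp", 443),
    ("guest", "internet", "tcp", 443),
    ("guest", "internet", "udp", 53),
}

def rule_matches(p: Packet) -> bool:
    return (zone_of(p.src), zone_of(p.dst), p.proto, p.dport) in RULES

def stateless_filter(p: Packet) -> str:
    """Packet filter (Layer 3/4): judges every packet on its own. Replies are
    let back in with the classic 'established' trick (any TCP packet with ACK
    set whose reverse direction is permitted), which a crafted ACK probe also
    satisfies."""
    if rule_matches(p):
        return "allow"
    reverse = (zone_of(p.dst), zone_of(p.src), p.proto, p.sport)
    if p.proto == "tcp" and p.ack and reverse in RULES:
        return "allow"
    return "deny"

class StatefulFirewall:
    """Stateful inspection (Layer 4): a flow enters the state table only when
    an allowed connection is opened; replies are matched against that table,
    and TCP packets that do not open a connection are dropped for lack of state."""
    def __init__(self) -> None:
        self.flows: set = set()

    def filter(self, p: Packet) -> str:
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.flows:
            return "allow (established)"
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "deny (no state)"        # ACK-only probe, stray SYN-ACK, etc.
        if rule_matches(p):
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "allow (new)"
        return "deny (policy)"

def run_demo() -> list:
    """Constructed traffic; returns (description, stateless verdict, stateful verdict)."""
    fw = StatefulFirewall()
    traffic = [
        ("HR -> Finance HTTPS, SYN",
         Packet("10.0.10.5", "10.0.20.8", "tcp", 51000, 443, syn=True)),
        ("Finance -> HR reply, SYN-ACK",
         Packet("10.0.20.8", "10.0.10.5", "tcp", 443, 51000, syn=True, ack=True)),
        ("Guest -> Finance HTTPS, SYN",
         Packet("192.168.50.7", "10.0.20.8", "tcp", 40000, 443, syn=True)),
        ("Internet:443 -> HR ACK probe (no session)",
         Packet("203.0.113.9", "10.0.10.5", "tcp", 443, 51001, ack=True)),
        ("Guest -> Internet DNS",
         Packet("192.168.50.7", "8.8.8.8", "udp", 5353, 53)),
    ]
    return [(desc, stateless_filter(p), fw.filter(p)) for desc, p in traffic]

if __name__ == "__main__":
    for desc, stateless, stateful in run_demo():
        print(f"{desc:45} stateless={stateless:6} stateful={stateful}")
```

The fourth packet is the point of the exercise: an ACK-only probe from the Internet with source port 443 satisfies the stateless "established" rule because the reverse direction (HR to Internet on 443) is permitted, but the stateful firewall has no flow for it and drops it. This is the same reason an inline stateful device, not a plain ACL, is what separates the VLAN 10 and VLAN 20 segments in practice.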

IDS/IPS:

  • IDS (Passive): Alerts on threats
  • IPS (Active): Blocks threats inline

Proxy Servers:

  • Forward Proxy: Sits between internal clients and the Internet; filters and logs outbound traffic (block social media), caches content, hides client addresses
  • Reverse Proxy: Sits in front of servers; terminates inbound connections (often TLS), load balances, hides the backend servers

Other Appliances:

  • Load Balancers: Distribute traffic (round-robin, health checks)
  • WAF (Web Application Firewall): Blocks SQLi/XSS attacks

NGFW vs WAF:

  • NGFW: Entire network protection (all protocols), network perimeter
  • WAF: Web apps only (HTTP/HTTPS), in front of web servers

Network Perimeter: Boundary between internal and external networks where security controls are placed

Placement & Attributes:

  • Inline vs TAP: An inline device sits in the traffic path and can block (firewall, IPS); a TAP or SPAN/mirror port copies traffic to a passive sensor that can only monitor and alert (IDS)
  • Fail-Open (Fail-Safe): On failure the device passes traffic unchecked (availability over security; e.g. a bypass NIC on an inline IPS)
  • Fail-Closed (Fail-Secure): On failure the device blocks all traffic (security over availability; typical for a perimeter firewall)

VPNs & Remote Access

VPN Types:

  • Remote Access VPN: Client-to-site (1 user → office)
  • Site-to-Site VPN: Branch office to HQ (office ↔ office)

VPN Protocols:

IPsec:

  • AH (Authentication Header): Integrity and origin authentication only, no encryption; its hash also covers the outer IP header, so it breaks behind NAT
  • ESP (Encapsulating Security Payload): Encryption plus integrity of the encapsulated data (the usual choice); works through NAT with NAT-T
  • Modes:
    • Transport (host-to-host): Encrypts payload only, original IP headers exposed
    • Tunnel (gateway-to-gateway): Encrypts entire packet, new header wraps it
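The two modes differ in what the outer, unprotected IP header reveals. As an added example (not from the lesson), the block below builds real ESP framing per RFC 4303 in both modes using the ESP NULL cipher (RFC 2410) with an HMAC-SHA256 integrity check value, so the byte layout is genuine but nothing is actually encrypted. The addresses, SPIs, key and TCP segment are constructed; a real SA would negotiate them through IKE.

```python
"""Added example (not from the lesson): IPsec ESP packets (RFC 4303) in
transport and tunnel mode, using the NULL cipher (RFC 2410) with an
HMAC-SHA256-128 ICV so that the framing is real without any encryption.
Keys, SPIs, addresses and the TCP segment are constructed for illustration."""
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, 20, 2))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack("!H", ~csum & 0xFFFF) + hdr[12:]

def ipv4_checksum_ok(hdr: bytes) -> bool:
    csum = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, 20, 2))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    return csum == 0xFFFF

def esp_encapsulate(spi: int, seq: int, inner: bytes, next_header: int, auth_key: bytes) -> bytes:
    """ESP with NULL encryption: SPI | seq | payload | padding | pad len | next header | ICV.
    The trailer pads the payload so that (payload + 2 trailer bytes) ends on a 4-byte boundary."""
    pad_len = (-(len(inner) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))          # RFC 4303 default padding values 1,2,3...
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:16]
    return body + icv

def transport_mode(src: str, dst: str, tcp_segment: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Host-to-host: the original IP header is kept (protocol field becomes ESP);
    only the transport payload is inside ESP, so the real endpoints stay visible."""
    esp = esp_encapsulate(spi, seq, tcp_segment, IPPROTO_TCP, key)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp

def tunnel_mode(gw_src: str, gw_dst: str, inner_packet: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Gateway-to-gateway: the whole original packet, header included, goes inside
    ESP (next header 4 = IP-in-IP); a new outer header carries only gateway addresses."""
    esp = esp_encapsulate(spi, seq, inner_packet, IPPROTO_IPIP, key)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp

def outer_view(packet: bytes) -> dict:
    """What an on-path observer or NAT device sees without the SA key."""
    spi, seq = struct.unpack("!II", packet[20:28])
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "proto": packet[9], "spi": spi, "seq": seq}

def esp_verify_and_strip(packet: bytes, auth_key: bytes) -> tuple:
    """Receiver side: verify the ICV, then remove the ESP header and trailer.
    Returns (next_header, inner bytes) or raises on a tampered packet."""
    esp = packet[20:]
    body, icv = esp[:-16], esp[-16:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP ICV mismatch")
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[8:-(2 + pad_len)]

def demo() -> dict:
    key = b"constructed-sa-key"                      # a real SA key comes from IKE
    tcp = b"\x00\x50\x1f\x90" + b"\x00" * 16 + b"GET / HTTP/1.1"   # constructed TCP segment
    inner = ipv4_header("10.0.10.5", "10.0.20.8", IPPROTO_TCP, len(tcp)) + tcp
    transport = transport_mode("10.0.10.5", "10.0.20.8", tcp, 0x1000, 1, key)
    tunnel = tunnel_mode("198.51.100.1", "203.0.113.1", inner, 0x2000, 1, key)
    return {"transport": outer_view(transport), "tunnel": outer_view(tunnel),
            "tunnel_inner_restored": esp_verify_and_strip(tunnel, key) == (IPPROTO_IPIP, inner)}

if __name__ == "__main__":
    for mode, view in demo().items():
        print(mode, view)
```

In the transport-mode output the outer header still names 10.0.10.5 and 10.0.20.8; in tunnel mode only the two gateways appear and the inner header is part of the integrity-protected payload. That is also why NAT-T matters: the outer header is all a NAT device can rewrite, and only ESP (not AH) tolerates that rewrite.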

Components:

  • IKE (Internet Key Exchange): Negotiates encryption keys (IKEv2 improves mobile support)
  • NAT-T (NAT Traversal): Allows IPsec through NAT devices

Other Protocols:

  • TLS/SSL VPNs: Run over TCP 443 (HTTPS), so they pass through most firewalls and proxies; either a clientless browser portal for web apps or a full-tunnel client

Remote Access Tools:

  • RDP (Remote Desktop Protocol): GUI access to Windows
  • SSH (Secure Shell): Encrypted command-line access
  • Jump Servers: Secure gateway for admin access

Authentication & Access Control

802.1X:

Port-based NAC: the supplicant (client) authenticates with EAP through the authenticator (switch or access point) to a RADIUS authentication server; the port forwards only EAPOL frames until authentication succeeds

NAC (Network Access Control): Controls which devices can connect based on security policies

RADIUS vs TACACS+:

  • RADIUS: Combines authentication and authorization in one exchange; UDP (1812/1813); only the User-Password attribute is obfuscated, the rest of the packet is cleartext; typical for network access (802.1X, VPN)
  • TACACS+: Separates authentication, authorization and accounting; TCP (49); the entire packet body is obfuscated; per-command authorization; developed by Cisco (now documented in RFC 8907); typical for device administration
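The "what is hidden on the wire" difference is concrete enough to implement. The block below is an added example, not from the lesson: it builds a RADIUS Access-Request with the RFC 2865 User-Password obfuscation and a TACACS+ packet with the RFC 8907 body obfuscation, then checks which fields a packet capture would show in the clear. The shared secret, session ID, credentials and the Request Authenticator (fixed here instead of random, for reproducibility) are constructed; the TACACS+ body is a stand-in string rather than a full authentication START structure.

```python
"""Added example (not from the lesson): what RADIUS and TACACS+ hide on the wire.
RADIUS (RFC 2865 s5.2) obfuscates only the User-Password attribute with an MD5
keystream derived from the shared secret and the Request Authenticator.
TACACS+ (RFC 8907 s4.5) XORs the entire body with an MD5 keystream derived from
the session ID, key, version and sequence number. All inputs are constructed."""
import hashlib
import struct

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# ---- RADIUS: only the User-Password attribute is obfuscated ----------------
def radius_hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """c1 = p1 XOR MD5(secret + RequestAuthenticator); cN = pN XOR MD5(secret + cN-1)."""
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        c = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + c, c
    return out

def radius_reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out, prev = out + _xor(c, hashlib.md5(secret + prev).digest()), c
    return out.rstrip(b"\x00")

def radius_access_request(ident: int, req_auth: bytes, username: bytes,
                          password: bytes, secret: bytes) -> bytes:
    """Code 1 = Access-Request; header is code, identifier, length, 16-byte authenticator;
    attributes are TLVs (type 1 = User-Name, type 2 = User-Password)."""
    hidden = radius_hide_password(password, secret, req_auth)
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def radius_attributes(packet: bytes) -> dict:
    attrs, i = {}, 20
    while i < len(packet):
        t, length = packet[i], packet[i + 1]
        attrs[t] = packet[i + 2:i + length]
        i += length
    return attrs

# ---- TACACS+: the whole body after the 12-byte header is obfuscated -------
def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(..., MD5_n-1); concatenated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def tacacs_packet(session_id: int, key: bytes, seq_no: int, body: bytes,
                  version: int = 0xC0, ptype: int = 1) -> bytes:
    """Header (version 0xC0 = 12.0, type 1 = authentication, seq, flags=0 meaning
    obfuscated, session_id, body length) stays in the clear; the body is XORed."""
    hdr = struct.pack("!BBBBII", version, ptype, seq_no, 0, session_id, len(body))
    return hdr + _xor(body, tacacs_pseudo_pad(session_id, key, version, seq_no, len(body)))

def tacacs_unwrap(packet: bytes, key: bytes) -> bytes:
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    return _xor(packet[12:], tacacs_pseudo_pad(session_id, key, version, seq_no, length))

def demo() -> dict:
    secret, user, pw = b"constructed-secret", b"alice", b"Winter2024!"
    req_auth = bytes(range(16))       # fixed for reproducibility; real clients send 16 random bytes
    rad = radius_access_request(7, req_auth, user, pw, secret)
    body = b"START user=" + user + b" pass=" + pw     # stand-in for a real authentication START body
    tac = tacacs_packet(0x1234ABCD, secret, 1, body)
    return {
        "radius_username_visible": user in rad,
        "radius_password_visible": pw in rad,
        "radius_roundtrip": radius_reveal_password(radius_attributes(rad)[2], secret, req_auth) == pw,
        "tacacs_username_visible": user in tac,
        "tacacs_roundtrip": tacacs_unwrap(tac, secret) == body,
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28} {v}")
```

Two things to take from the output: the RADIUS User-Name (and every other attribute) is readable from a capture while the TACACS+ body is not, and neither scheme is real encryption. Both keystreams are MD5 of the shared secret plus values that are sent in the clear, so a captured Access-Request allows an offline guess at the secret; this is why RADIUS over TLS (RadSec) or IPsec is recommended for RADIUS, and why RFC 8907 itself recommends running TACACS+ only over a separately protected channel.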

Architecture Considerations

  • Defense-in-Depth: Layered controls (firewalls → IDS → encryption)
  • Availability: Redundancy (load balancers), failover plans
  • Patch Management: Critical for firewalls/VPNs

Important Port Numbers

Authentication/Remote Access:

  • IPsec: 500 (IKE), 4500 (NAT-T), Protocol 50 (ESP), Protocol 51 (AH)
  • TLS/SSL: 443 (HTTPS), 993 (IMAPS)
  • SSH: 22
  • RDP: 3389
  • RADIUS: 1812 (auth), 1813 (acct)
  • TACACS+: 49
  • HTTP: 80 (unsecured), 443 (HTTPS secured)
  • DNS: 53
  • FTP: 20 (data), 21 (control)
  • SFTP: 22
  • Telnet: 23 (cleartext; replace with SSH)
  • LDAP: 389, LDAPS: 636

Email:

  • SMTP: 25 (server-to-server relay, cleartext or opportunistic STARTTLS), 465 (SMTPS, implicit TLS), 587 (mail submission, STARTTLS)
  • POP3: 110, POP3S: 995
  • IMAP: 143, IMAPS: 993

File Sharing/Network Services:

  • SMB: 445
  • NetBIOS: 137-139
  • SNMP: 161, SNMP Trap: 162
  • Syslog: 514 (UDP, cleartext), 6514 (syslog over TLS)
  • DHCP: 67 (server), 68 (client)

VPN:

  • L2TP: 1701
  • PPTP: 1723 (legacy, insecure)
  • OpenVPN: 1194

Virtualization Terms

  • VDE (Virtual Desktop Environment): General term for virtualized desktop OS
  • VDI (Virtual Desktop Infrastructure): Centralized hosting of virtual desktops
  • Application Virtualization: Stream specific apps without full desktop
  • Containerization: Isolate apps/services (DevOps, microservices)
  • VM: Full OS sandboxing
  • Thin Client: Lightweight endpoint for VDI access
